Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Rule S2068: detect hard-coded passwords in web.config files #6182

Merged
merged 12 commits into from
Oct 12, 2022
Merged

Rule S2068: detect hard-coded passwords in web.config files #6182

merged 12 commits into from
Oct 12, 2022

Conversation

pavel-mikula-sonarsource
Copy link
Contributor

Contributes to #5427

@pavel-mikula-sonarsource pavel-mikula-sonarsource marked this pull request as draft October 7, 2022 13:15
@github-actions github-actions bot added this to In progress in Best Kanban Oct 7, 2022
@github-actions github-actions bot moved this from In progress to Review in progress in Best Kanban Oct 7, 2022
Base automatically changed from Pavel/RefactorParameters to master October 10, 2022 07:26
martin-strecker-sonarsource
martin-strecker-sonarsource requested changes Oct 10, 2022
View reviewed changes
analyzers/src/SonarAnalyzer.Common/Rules/Hotspots/DoNotHardcodeCredentialsBase.cs Outdated Show resolved Hide resolved
analyzers/src/SonarAnalyzer.Common/Rules/Hotspots/DoNotHardcodeCredentialsBase.cs Outdated Show resolved Hide resolved
analyzers/src/SonarAnalyzer.Common/Rules/Hotspots/DoNotHardcodeCredentialsBase.cs Outdated Show resolved Hide resolved
analyzers/src/SonarAnalyzer.Common/Rules/Hotspots/DoNotHardcodeCredentialsBase.cs
const string UriPasswordSpecialCharacters = Rfc3986_Unreserved + Rfc3986_Pct + Rfc3986_SubDelims;
// See https://tools.ietf.org/html/rfc3986 Userinfo can contain groups: unreserved | pct-encoded | sub-delims
var uriUserInfoPart = @"[\w\d" + Regex.Escape(UriPasswordSpecialCharacters) + "]+";
uriUserInfoPattern = new Regex(@"\w+:\/\/(?<Login>" + uriUserInfoPart + "):(?<Password>" + uriUserInfoPart + ")@", RegexOptions.Compiled);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

According to rfc3986 more than one : is allowed in the userinfo. I assume, that the password group should also accept :.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't understand the comment. Can you provide more detailed explanation?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I did not really changed anything of this logic, I just moved it to different place

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this is a valid userinfo that does not match the regex:
https://user:passwordWith:isOkay@example.org/ This is how I read the grammar in the RFC, but I could be mistaken. At least .Net thinks so too sharplab.io

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We don't need to extract the full password. So changing it will make the regex more expensive, without affecting the results.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The problem is that the : is not in the <Password> group and because of the trailing @, the regex doesn't match at all. The password group must be "[\w\d" + Regex.Escape(UriPasswordSpecialCharacters) + ":]+".

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'll try in another PR

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See #6199

...s/tests/SonarAnalyzer.UnitTest/TestCases/WebConfig/DoNotHardcodeCredentials/Valid/Web.config Show resolved Hide resolved
...s/tests/SonarAnalyzer.UnitTest/TestCases/WebConfig/DoNotHardcodeCredentials/Valid/Web.config Show resolved Hide resolved
@github-actions github-actions bot moved this from Review in progress to In progress in Best Kanban Oct 10, 2022
@pavel-mikula-sonarsource pavel-mikula-sonarsource marked this pull request as ready for review October 10, 2022 14:44
@github-actions github-actions bot moved this from In progress to Review in progress in Best Kanban Oct 10, 2022
martin-strecker-sonarsource
martin-strecker-sonarsource reviewed Oct 11, 2022
View reviewed changes
Copy link
Contributor

@martin-strecker-sonarsource martin-strecker-sonarsource left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. The test for EF6 connection string should be updated to test the interesting case of an &quote; as a delimiter and there are some improvements for the RegEx possible or need a followup PR.

...s/tests/SonarAnalyzer.UnitTest/TestCases/WebConfig/DoNotHardcodeCredentials/Valid/Web.config Show resolved Hide resolved
Best Kanban automation moved this from Review in progress to Review approved Oct 11, 2022
@sonarcloud
Copy link

sonarcloud bot commented Oct 11, 2022

Kudos, SonarCloud Quality Gate passed!    Quality Gate passed

Bug A 0 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot A 0 Security Hotspots
Code Smell A 0 Code Smells

No Coverage information No Coverage information
No Duplication information No Duplication information

@sonarcloud
Copy link

sonarcloud bot commented Oct 11, 2022

Kudos, SonarCloud Quality Gate passed!    Quality Gate passed

Bug A 0 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot A 0 Security Hotspots
Code Smell A 0 Code Smells

100.0% 100.0% Coverage
0.0% 0.0% Duplication

@pavel-mikula-sonarsource pavel-mikula-sonarsource merged commit 19f6fdb into master Oct 12, 2022
Best Kanban automation moved this from Review approved to Validate Peach Oct 12, 2022
@pavel-mikula-sonarsource pavel-mikula-sonarsource deleted the Pavel/S2068-webconfig branch October 12, 2022 06:45
@pavel-mikula-sonarsource pavel-mikula-sonarsource moved this from Validate Peach to Done in Best Kanban Oct 14, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@martin-strecker-sonarsource martin-strecker-sonarsource martin-strecker-sonarsource approved these changes

Assignees

@pavel-mikula-sonarsource pavel-mikula-sonarsource

Labels
None yet
Projects
Best Kanban
  
Done
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@pavel-mikula-sonarsource @martin-strecker-sonarsource